saml2: only allow local URLs as redirections (#43279)

Frédéric Péters 2020-05-25 17:32:52 +02:00
parent 66de9cdd5c
commit 05c1573e38
2 changed files with 15 additions and 2 deletions


@ -18,6 +18,7 @@ from wcs.qommon.misc import get_lasso_server
from wcs.qommon.saml2 import Saml2Directory
from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
from wcs.qommon import sessions, x509utils
from wcs.qommon.errors import RequestError
from wcs.roles import Role
from utilities import get_app, create_temporary_pub, clean_temporary_pub
@ -303,12 +304,21 @@ def test_assertion_consumer_redirect_after_url(pub):
def test_assertion_consumer_full_url_redirect_after_url(pub):
req = get_assertion_consumer_request(pub)
req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
saml2 = Saml2Directory()
saml_response_body = req.form['SAMLResponse']
body = saml2.assertionConsumerPost()
assert req.response.status_code == 303
assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok'
assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok'
def test_assertion_consumer_external_url_redirect_after_url(pub):
req = get_assertion_consumer_request(pub)
req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
saml2 = Saml2Directory()
saml_response_body = req.form['SAMLResponse']
with pytest.raises(RequestError):
body = saml2.assertionConsumerPost()
def test_saml_login_page(pub):
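Review bot: `body = saml2.assertionConsumerPost()` inside the `pytest.raises` block of the new test assigns a local that is never read, and `saml_response_body` two lines above it is unused as well; writing the call as a bare `saml2.assertionConsumerPost()` makes it plain that the statement is only there to raise. The test also depends on example.net being the publisher's own host and example.org being foreign, but nothing in the hunk states that; a one-line comment such as `# example.org is neither the front- nor the backoffice host, so the redirect must be refused` would spare the next reader a trip to the fixture (presumably create_temporary_pub, which is outside this hunk). `pytest` is used but does not appear in the visible import hunk, so it is presumably imported earlier in the file. test_saml_login_page on the last line continues outside the hunk.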


@ -355,6 +355,9 @@ class Saml2Directory(Directory):
netloc = parsed_url.netloc or request.get_server()
after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
parsed_url.fragment))
if not (after_url.startswith(get_publisher().get_backoffice_url()) or
after_url.startswith(get_publisher().get_frontoffice_url())):
raise errors.RequestError()
else:
after_url = get_publisher().get_frontoffice_url()
response.set_status(303)
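Review bot: The new allow-list in `if not (after_url.startswith(get_publisher().get_backoffice_url()) or ...)` is a plain string-prefix test, so it is only as strict as the values returned by get_frontoffice_url() and get_backoffice_url(): if either is configured without a trailing slash, a URL whose host merely begins with the configured host string would also pass. Comparing the parsed host avoids that dependence, using the `netloc` already computed on the first line of the hunk: `allowed_netlocs = set(urlparse.urlsplit(u).netloc for u in (get_publisher().get_backoffice_url(), get_publisher().get_frontoffice_url()))` followed by `if netloc not in allowed_netlocs:` / `raise errors.RequestError()`. That keeps the existing fallback to request.get_server() for relative RelayState values, since that host is the publisher's own. The enclosing `if`/`else` and the method continue outside the hunk, and I cannot confirm from here whether get_frontoffice_url() includes a trailing slash, so treat the prefix concern as something to verify against the configuration code.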